Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
As used in this disclosure, "module," "device," "system," and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, or software in execution. In particular, for example, an element may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. Also, an application or script running on a server, or a server, may be an element. One or more elements may be in a process and/or thread of execution and an element may be localized on one computer and/or distributed between two or more computers and may be operated by various computer-readable media. The elements may also communicate by way of local and/or remote processes based on a signal having one or more data packets, e.g., from a data packet interacting with another element in a local system, distributed system, and/or across a network in the internet with other systems by way of the signal.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The invention provides an industrial protocol message recording device and method based on condition triggering. The message recording method can record the message aiming at the whole industrial control system or specific important intelligent equipment, can set a series of trigger conditions, and records the message of the related equipment only when the trigger conditions are met. In order to obtain a complete message, the device caches a message with a preset duration in the memory all the time, and when message recording is triggered, the message is recorded together with the subsequent message after being merged. The recorded message is compressed and stored in the form of a file, which is called a message record file. Meanwhile, a message recording event database is established, event information triggering message recording each time and a corresponding message recording file path are stored in the database, and indexes are established according to message recording time, triggering conditions, relevant equipment and other information, so that the corresponding message recording file can be quickly positioned during problem analysis.
As shown in fig. 1, an embodiment of the present invention provides an industrial protocol packet recording apparatus 100, which is applied to an industrial control network system, where the industrial protocol packet recording apparatus 100 includes:
the message prerecording module 110 is configured to collect and record an industrial protocol message from a communication interface of the industrial control network system;
a message parsing module 120, configured to parse the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, where the message record triggering condition includes an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
a message recording module 130, configured to, when it is determined that the industrial protocol message meets a message recording trigger condition, at least store the currently recorded industrial protocol message;
and the first skipping module 140 is configured to skip to the message prerecording module when it is determined that the industrial protocol message does not conform to the message recording trigger condition.
According to the embodiment of the invention, the current potential safety or fault hazard can be determined by analyzing the industrial protocol message and comparing the preset message record triggering conditions comprising the abnormal industrial protocol function code and/or the abnormal point address and/or the abnormal point value, so that the related industrial protocol message can be recorded in time, and the integrity of the recorded industrial protocol message is ensured. The complete and reliable recorded data is provided for the problems of abnormal functions or network attacks suffered by the industrial control system and the like.
As shown in fig. 2, in some embodiments, the apparatus 100 for recording an industrial protocol packet further includes:
a duration determining module 120' configured to determine whether the duration of the currently recorded industrial protocol messages exceeds a set threshold;
a message deleting module 130' configured to delete an earlier recorded part of the currently recorded industrial protocol messages when it is determined that the duration of the currently recorded industrial protocol messages exceeds the set threshold;
for example, if the threshold is set to 10 s and the message pre-recording module 110 has recorded industrial protocol messages from the 1st second through the 10th second, an earlier recorded part of those messages is deleted (for example, the messages recorded in the 1st second, or those recorded in the 2nd or 3rd second, etc.; the invention does not limit this).
And the second skipping module 140' is used for skipping to the message prerecording module when the duration for recording the industrial protocol message currently does not exceed the set threshold.
In the embodiment of the invention, the storage file formed by the finally recorded and cached industrial protocol message can be ensured not to be too large by judging whether the time length of the currently recorded industrial protocol message exceeds the set threshold value in real time. Specifically, the inventor finds that any abnormal function or network attack suffered in an industrial control system has a certain duration, so that when recording related industrial protocol messages, long-time recording is not needed, and only the messages with a preset duration need to be recorded (the preset duration does not exceed a set threshold, and the set threshold can be determined according to the average duration of the abnormal function and the network attack counted historically), so that the integrity of the recorded messages can be ensured, and the overhead caused by message data storage can be minimized; on the other hand, the data volume of later query retrieval is reduced, and the efficiency of problem location is improved.
In some embodiments, storing at least the currently recorded industrial protocol message comprises: storing the currently recorded industrial protocol messages together with the industrial protocol messages collected from the communication interface from the current time point until the preset time has elapsed.
For example, the preset time may be 10s, and with reference to the set threshold value of 10s in the foregoing embodiment, the industrial protocol packets stored in this embodiment are 10s of industrial protocol packets already recorded before the current time point and 10s of industrial protocol packets continuously recorded after the current time point, and 20s of industrial protocol packets are recorded in total. In the embodiment of the invention, the currently recorded industrial protocol message is saved, and the subsequent industrial protocol message is continuously acquired through the corresponding communication interface, so that the integrity of the finally recorded industrial protocol message is ensured.
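The pre-recording buffer bounded by the set threshold and the "10 s before + 10 s after" recording window described above, as an added Python example written for this page (not code from the patent). The frame bytes are constructed, and one behaviour the text does not specify is assumed: a trigger that fires while a recording is already in progress is ignored rather than starting an overlapping recording.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    ts: float       # capture time in seconds
    raw: bytes      # the industrial protocol frame as captured


class PreRecorder:
    """Message pre-recording module (figs. 2 and 7): keeps only the most recent
    `threshold` seconds of traffic in memory and drops older frames as it goes."""

    def __init__(self, threshold: float = 10.0):
        self.threshold = threshold
        self._buf: deque = deque()

    def push(self, msg: Message) -> int:
        """Cache one frame; return how many old frames were dropped to stay within the threshold."""
        self._buf.append(msg)
        dropped = 0
        while self._buf and msg.ts - self._buf[0].ts > self.threshold:
            self._buf.popleft()
            dropped += 1
        return dropped

    def snapshot(self) -> list:
        return list(self._buf)

    def span(self) -> float:
        return self._buf[-1].ts - self._buf[0].ts if self._buf else 0.0


class Recorder:
    """Message recording module: on a trigger, freeze the pre-recorded history and keep
    capturing for `post` more seconds, then hand back the merged history + real-time list.
    Assumption (not stated on the page): triggers that fire while a recording is already
    in progress are ignored rather than starting a second, overlapping recording."""

    def __init__(self, pre: PreRecorder, post: float = 10.0):
        self.pre = pre
        self.post = post
        self._history = None
        self._realtime = []
        self._trigger_ts = None

    def on_message(self, msg: Message, triggered: bool):
        """Feed one frame (with the analyser's verdict); returns a finished record or None."""
        self.pre.push(msg)
        if self._trigger_ts is None:
            if triggered:                      # start: history = everything still cached
                self._trigger_ts = msg.ts
                self._history = self.pre.snapshot()
            return None
        if msg.ts - self._trigger_ts <= self.post:
            self._realtime.append(msg)         # still inside the post-trigger window
            return None
        return self._finish()

    def flush(self):
        """Close an in-progress recording explicitly (e.g. when capture stops)."""
        return self._finish() if self._trigger_ts is not None else None

    def _finish(self) -> list:
        record = self._history + self._realtime
        self._history, self._realtime, self._trigger_ts = None, [], None
        return record


def simulate(trigger_at: float = 15.0, last_ts: float = 30.0, threshold: float = 10.0,
             post: float = 10.0) -> list:
    """Constructed traffic: one frame per second; the analyser flags only `trigger_at`.
    With the page's 10 s / 10 s figures this yields a 20 s record (ts 5 .. 25)."""
    rec = Recorder(PreRecorder(threshold), post)
    for ts in range(int(last_ts) + 1):
        # constructed Modbus TCP "read holding registers" request used as filler traffic
        frame = Message(float(ts), b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")
        done = rec.on_message(frame, triggered=(ts == trigger_at))
        if done is not None:
            return done
    return rec.flush() or []
```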
As shown in fig. 3, an embodiment of the present invention provides an industrial protocol packet recording method, which is applied to an industrial control network system, and the method includes:
s10, collecting and recording industrial protocol messages from the communication interface of the industrial control network system;
s20, analyzing the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, wherein the message record triggering condition comprises an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
s30, if yes, at least storing the currently recorded industrial protocol message;
s40, if not, returning to the step S10.
According to the embodiment of the invention, the current potential safety or fault hazard can be determined by analyzing the industrial protocol message and comparing the preset message record triggering conditions comprising the abnormal industrial protocol function code and/or the abnormal point address and/or the abnormal point value, so that the related industrial protocol message can be recorded in time, and the integrity of the recorded industrial protocol message is ensured. The complete and reliable recorded data is provided for the problems of abnormal functions or network attacks suffered by the industrial control system and the like.
As shown in fig. 4, in some embodiments, the industrial protocol message recording method of the present invention further includes:
s20', judging whether the time length of the current recorded industrial protocol message exceeds a set threshold value;
s30', if yes, deleting the previously recorded part of industrial protocol messages in the currently recorded industrial protocol messages;
s40', if not, then return to step S10.
In some embodiments, storing at least the currently recorded industrial protocol message comprises: storing the currently recorded industrial protocol messages together with the industrial protocol messages collected from the communication interface from the current time point until the preset time has elapsed.
In some embodiments, after storing at least the currently recorded industrial protocol message, further comprising: generating message recording event information according to the content information of the currently recorded industrial protocol message, wherein the message recording event information comprises: the message records a file name and/or path information and/or a recording time and/or trigger conditions and/or device information.
It should be noted that for simplicity of explanation, the foregoing method embodiments are described as a series of acts or combination of acts, but those skilled in the art will appreciate that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention. In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The method for recording an industrial protocol message according to the embodiment of the present invention may be implemented by an industrial protocol message recording apparatus according to the embodiment of the present invention, and accordingly achieve the technical effect achieved by the apparatus for recording an industrial protocol message according to the embodiment of the present invention, and will not be described herein again. In the embodiment of the present invention, the relevant functional module may be implemented by a hardware processor (hardware processor).
In some embodiments, the industrial protocol message recording apparatus 100 of the present invention further includes a message collection module, which is composed of a message collection rule editor and a message collector. The message collecting rule editor takes the message identification information to be collected as a message collecting rule to be configured in the message collector.
As shown in fig. 5, the schematic block diagram of the message collection rules of the industrial protocol message recording device includes a plurality of network ports, serial ports, and other communication interfaces, and a different message collection rule list is configured for each communication interface. The multiple message collection rules 0-n are in a logical OR relationship, that is, as long as any rule in the message collection rule list is matched, the matching is successful. The message identification information that different network protocols need to extract is different. For the Ethernet protocol, the message identification information includes: source device MAC address, source device IP address, source device port, destination device MAC address, destination device IP address, destination device port, transport protocol, and the like; for a serial port protocol, the message identification information includes: source device address identification, destination device address identification, and the like.
The message collection rules may include one or more of the above message identifications. When one message collection rule is configured with a plurality of message identifications, the plurality of message identifications are in a logical AND relationship, namely when all the message identifications configured by the message collection rule are matched, the message collection rule is successfully matched.
TABLE 1 Example of rule configuration for Ethernet communication collection
In Table 1, collection rule 1 represents collecting messages whose source device MAC address is 68:F7:29:CE:3E:DF and whose source device IP address is 192.168.0.98. Collection rule 2 represents collecting messages whose source device port is 1102 and whose destination device port is 502. If a communication interface is configured with both rule 1 and rule 2, a message is collected as long as it matches either one of the two collection rules.
Fig. 6 is a flowchart of an embodiment of a packet collector in the present invention. The method specifically comprises the following steps:
the message collector collects the message from the communication interface in the industrial control system network;
detecting whether a message acquisition rule list of a communication interface is empty;
if the list is empty, all messages collected from the industrial control system are forwarded to the message pre-recording module and the message analysis module;
if the message acquisition rule list of the communication interface is not empty, extracting message identification information;
and matching the extracted identification information against each rule in the message collection rule list; if any rule matches, the message is forwarded to the message pre-recording module and the message analysis module, and if no rule matches, the message is discarded.
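The collection rule matching of figs. 5 and 6 applied to the two rules of Table 1, as an added Python example that is not part of the patent; the identification field names, the serial-port rule on ttyS0 and the sample messages are constructed.

```python
from dataclasses import dataclass, field

# identification fields the text lists for Ethernet and for serial-port protocols
ETH_FIELDS = ("src_mac", "src_ip", "src_port", "dst_mac", "dst_ip", "dst_port", "transport")
SERIAL_FIELDS = ("src_addr", "dst_addr")


def _norm(v):
    """Compare MAC/IP strings case-insensitively; leave ports and addresses as they are."""
    return v.lower() if isinstance(v, str) else v


@dataclass
class MessageCollector:
    """Message collection module (figs. 5 and 6). `rules` maps a communication interface
    to its rule list: rules in the list are OR-ed, the fields inside one rule are AND-ed,
    and an interface whose list is empty forwards everything it receives."""
    rules: dict = field(default_factory=dict)

    def add_rule(self, iface: str, **ident) -> None:
        unknown = set(ident) - set(ETH_FIELDS + SERIAL_FIELDS)
        if unknown:
            raise ValueError(f"{iface}: unknown identification field(s) {sorted(unknown)}")
        self.rules.setdefault(iface, []).append(ident)

    @staticmethod
    def matches(rule: dict, ident: dict) -> bool:
        """Logical AND: every field the rule names must be present and equal in the message."""
        return all(k in ident and _norm(ident[k]) == _norm(v) for k, v in rule.items())

    def accept(self, iface: str, ident: dict) -> bool:
        """True if the message is forwarded to the pre-recording and analysis modules."""
        rule_list = self.rules.get(iface, [])
        if not rule_list:          # empty rule list: collect all traffic on this interface
            return True
        return any(self.matches(r, ident) for r in rule_list)   # logical OR


def table1_collector() -> MessageCollector:
    """The two Ethernet rules of Table 1 on eth1, plus a constructed serial-port rule on ttyS0."""
    c = MessageCollector()
    c.add_rule("eth1", src_mac="68:F7:29:CE:3E:DF", src_ip="192.168.0.98")  # rule 1
    c.add_rule("eth1", src_port=1102, dst_port=502)                         # rule 2
    c.add_rule("ttyS0", src_addr=1, dst_addr=17)
    return c
```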
Fig. 7 is a schematic diagram of a workflow of an embodiment of a message pre-recording module according to the present invention. The method specifically comprises the following steps:
caching the real-time communication messages in memory;
detecting whether the cached messages exceed the caching duration: the message pre-recording module keeps messages of a preset duration in the memory of the industrial protocol message recording device, and caches each new communication message into the memory as it is received;
if the cached messages exceed the caching duration, deleting an earlier cached part of the currently cached messages and ending; otherwise, continuing to detect whether the cached messages exceed the caching duration.
In some embodiments, the message analysis module consists of a trigger condition rule editor and a message analyzer.
The trigger condition rule editor defines trigger condition rules according to characteristic data such as industrial protocol function code, point address and point value, and stores them in a trigger condition rule list for the message analyzer to use. The rules in the trigger condition rule list are in a logical OR relationship: as long as any rule is met, message recording is triggered and a corresponding message recording event is generated. The characteristic data within one trigger condition rule are in a logical AND relationship: the message content must meet all the conditions in that trigger condition rule.
TABLE 2 Examples of trigger condition rules

Serial number ID | Feature 1 | Feature 2 | Feature N
1 | Function code: read holding register | |
2 | Function code: write holding register | Point address = 0 | Value < 1000
Table 2 shows a configuration of trigger condition rules for the Modbus protocol. Rule 1 triggers message recording and generates a message recording event whenever the message function code is read holding register. Rule 2 triggers message recording and generates a message recording event when the message function code is write holding register, the written point address is 0, and the written value is less than 1000.
TABLE 3 event information examples
As shown in fig. 8, a work flow diagram of an embodiment of a message analysis module in the present invention includes:
acquiring a message;
judging whether the trigger condition list is empty or not;
if yes, not analyzing the message and ending;
if not, analyzing the message content, traversing the trigger condition rule list, specifically:
acquiring each trigger condition rule;
judging whether all the characteristic data in the rule are matched;
if not, judging whether all rules in the trigger condition rule list have been traversed: if yes, ending; if not, acquiring the next trigger condition rule and repeating the above steps;
if yes, generating event information and forwarding the event to the message recording module.
In some embodiments, the message analyzer detects whether the trigger condition rule list is empty, and if so, does not perform message analysis. When the trigger condition rule list is not empty, the content of the message is analyzed, each rule in the trigger condition rule list is traversed, if the trigger condition rule is met, message recording event information is created according to the message content, and the event information is sent to the message recording module.
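The trigger condition rules of Table 2 evaluated over Modbus TCP request frames, following the fig. 8 flow (empty list means no analysis, rules OR-ed, features AND-ed), as an added Python example that is not code from the patent. The function code values 0x03, 0x06 and 0x10 are the standard Modbus codes for read holding registers, write single register and write multiple registers; "write holding register" in rule 2 is taken here to mean write single register, and all frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Optional

FC_READ_HOLDING = 0x03      # standard Modbus function codes
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10


@dataclass
class ModbusMsg:
    unit: int
    fc: int
    addr: int                  # start/point address of the request (-1 if not applicable)
    values: list               # values written (empty for a read)


def parse_modbus_tcp(frame: bytes) -> ModbusMsg:
    """Decode the MBAP header and the parts of the PDU the trigger rules look at.
    Assumption: frames are complete requests; anything malformed raises ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length")
    pdu = frame[8:]
    if fc == FC_READ_HOLDING:
        addr, qty = struct.unpack(">HH", pdu[:4])
        return ModbusMsg(unit, fc, addr, [])
    if fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", pdu[:4])
        return ModbusMsg(unit, fc, addr, [value])
    if fc == FC_WRITE_MULTIPLE:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            raise ValueError("write multiple: byte count does not match quantity")
        return ModbusMsg(unit, fc, addr, list(struct.unpack(f">{qty}H", pdu[5:5 + nbytes])))
    return ModbusMsg(unit, fc, -1, [])    # other function codes: no address/value features


@dataclass
class TriggerRule:
    """One row of Table 2: features are AND-ed; a feature left as None is not checked."""
    rule_id: int
    fc: Optional[int] = None
    addr: Optional[int] = None
    value: Optional[Callable[[int], bool]] = None

    def matches(self, m: ModbusMsg) -> bool:
        if self.fc is not None and m.fc != self.fc:
            return False
        if self.addr is not None and m.addr != self.addr:
            return False
        if self.value is not None and not any(self.value(v) for v in m.values):
            return False
        return True


def analyse(frame: bytes, rules: list, device: str, ts: int) -> Optional[dict]:
    """Message analyser (fig. 8): empty rule list -> no analysis; otherwise the first
    matching rule (rules are OR-ed) yields the event information for the recorder."""
    if not rules:
        return None
    m = parse_modbus_tcp(frame)
    for rule in rules:
        if rule.matches(m):
            return {"time": ts, "device": device, "rule": rule.rule_id,
                    "fc": m.fc, "addr": m.addr, "values": m.values}
    return None


TABLE2_RULES = [
    TriggerRule(1, fc=FC_READ_HOLDING),
    TriggerRule(2, fc=FC_WRITE_SINGLE, addr=0, value=lambda v: v < 1000),
]

# constructed Modbus TCP requests: transaction id, protocol id 0, length, unit 1, PDU
READ_HR_0_10 = bytes.fromhex("0001 0000 0006 01 03 0000 000a")      # FC3, addr 0, 10 regs
WRITE_ADDR0_500 = bytes.fromhex("0002 0000 0006 01 06 0000 01f4")   # FC6, addr 0, value 500
WRITE_ADDR0_2000 = bytes.fromhex("0003 0000 0006 01 06 0000 07d0")  # FC6, addr 0, value 2000
WRITE_ADDR5_500 = bytes.fromhex("0004 0000 0006 01 06 0005 01f4")   # FC6, addr 5, value 500
```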
Fig. 9 is a flowchart illustrating an embodiment of a message recording module according to the present invention. The method specifically comprises the following steps:
acquiring the occurrence time of the event: the message recording module receives the message recording event information generated by the message analysis module and extracts the occurrence time of the event;
extracting a history message with a certain duration from a message prerecording module;
simultaneously recording a real-time message after an event occurs;
after the message recording of the preset duration is finished, combining the historical messages and the real-time messages, and compressing them to generate a message recording file;
and naming the message record file according to a preset naming rule and storing the file in a file system. After the message recording file is generated, the message recording module sends the file name, the path information and the event information to the message recording management module.
Table 4 Message record content example

Message record ID | File name | Path | Event ID
7 | eth1-1-Modbus-543216331.tar.gz | /record/dev1 | 1
8 | eth1-2-Modbus-543216333.tar.gz | /record/dev1 | 5
Fig. 10 is a flowchart of a message record management module according to an embodiment of the present invention. The method specifically comprises the following steps:
the message recording management module stores the message recording file name, the path and the message recording event information generated by the message recording module into a database;
establishing indexes according to information such as message recording time, triggering conditions, relevant equipment and the like;
automatically detecting the available space of the file system: the message recording management module continuously manages the message recording files and detects whether the available space of the file system has reached a preset threshold;
if so, automatically deleting historical message recording files and the corresponding information in the message recording database, so that the storage space required for system operation is guaranteed.
As shown in fig. 11, a flow chart of message record database information query, file acquisition and deletion in the present invention is shown. The method specifically comprises the following steps:
receiving a query condition;
searching for and returning the matching file information and event information;
judging whether the retrieved message record is to be downloaded;
if yes, returning the message recording file and ending;
if not, further judging whether the message record is to be deleted;
if not, ending;
if so, deleting the message record information and the event information from the database;
and deleting the message record file in the file system and ending.
The user can quickly retrieve the message record and the event information through the message recording time, the triggering condition and the related equipment information, and the operation of acquiring and deleting the message record file is supported.
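The recording module of fig. 9 (merge history and real-time capture, compress, name, store) together with the record management flows of figs. 10 and 11 (database with the three indexes, query, download, delete, space management), as one added Python example written for this page rather than code from the patent. Assumed here: SQLite as the event database, a single merged member per tar.gz, a constructed file naming rule in the style of Table 4, and a byte budget `max_bytes` standing in for the file-system free-space threshold; the sample records are constructed.

```python
import io
import os
import sqlite3
import tarfile
import tempfile


class RecordManager:
    # Assumed (not in the text): SQLite event database, one "record.bin" per archive,
    # and a byte budget `max_bytes` in place of the free-disk-space threshold of fig. 10.
    def __init__(self, record_dir: str, max_bytes: int):
        self.record_dir, self.max_bytes, self.seq = record_dir, max_bytes, 0
        self.db = sqlite3.connect(":memory:", isolation_level=None)   # autocommit
        self.db.executescript("""
            CREATE TABLE event(event_id INTEGER PRIMARY KEY, record_time INTEGER NOT NULL,
                               trigger_rule TEXT NOT NULL, device TEXT NOT NULL);
            CREATE TABLE record(record_id INTEGER PRIMARY KEY, file_name TEXT NOT NULL,
                                path TEXT NOT NULL, event_id INTEGER NOT NULL REFERENCES event(event_id));
            CREATE INDEX idx_time ON event(record_time);
            CREATE INDEX idx_rule ON event(trigger_rule);
            CREATE INDEX idx_device ON event(device);""")

    def store(self, event: dict, history: bytes, realtime: bytes) -> int:
        """Fig. 9: merge history + post-trigger capture, compress, name (Table 4 style), register."""
        cur = self.db.execute("INSERT INTO event(record_time, trigger_rule, device) VALUES (?,?,?)",
                              (event["time"], event["rule"], event["device"]))
        event_id = cur.lastrowid
        self.seq += 1
        file_name = f"{event['iface']}-{self.seq}-{event['protocol']}-{event['time']}.tar.gz"
        merged = history + realtime
        with tarfile.open(os.path.join(self.record_dir, file_name), "w:gz") as tar:
            info = tarfile.TarInfo("record.bin")
            info.size = len(merged)
            tar.addfile(info, io.BytesIO(merged))
        cur = self.db.execute("INSERT INTO record(file_name, path, event_id) VALUES (?,?,?)",
                              (file_name, self.record_dir, event_id))
        self.enforce_space()
        return cur.lastrowid

    def query(self, **cond) -> list:
        """Retrieve by recording time, trigger condition and/or device, e.g. query(device="dev1")."""
        cols = {"since": "e.record_time >= ?", "rule": "e.trigger_rule = ?", "device": "e.device = ?"}
        sql = ("SELECT r.record_id, r.file_name, r.path, e.event_id, e.record_time, e.trigger_rule,"
               " e.device FROM record r JOIN event e ON r.event_id = e.event_id")
        if cond:
            sql += " WHERE " + " AND ".join(cols[k] for k in cond)
        keys = ("record_id", "file_name", "path", "event_id", "time", "rule", "device")
        rows = self.db.execute(sql + " ORDER BY e.record_time", list(cond.values()))
        return [dict(zip(keys, row)) for row in rows]

    def fetch(self, record_id: int) -> bytes:
        """'Download': return the merged message bytes stored in one record file."""
        file_name, path = self.db.execute(
            "SELECT file_name, path FROM record WHERE record_id = ?", (record_id,)).fetchone()
        with tarfile.open(os.path.join(path, file_name), "r:gz") as tar:
            return tar.extractfile("record.bin").read()

    def delete(self, record_id: int) -> bool:
        """Delete the record and its event from the database, then the file itself."""
        row = self.db.execute("SELECT file_name, path, event_id FROM record WHERE record_id = ?",
                              (record_id,)).fetchone()
        if row is None:
            return False
        self.db.execute("DELETE FROM record WHERE record_id = ?", (record_id,))
        self.db.execute("DELETE FROM event WHERE event_id = ?", (row[2],))
        if os.path.exists(full := os.path.join(row[1], row[0])):
            os.remove(full)
        return True

    def used_bytes(self) -> int:
        return sum(os.path.getsize(os.path.join(p, f))
                   for f, p in self.db.execute("SELECT file_name, path FROM record").fetchall()
                   if os.path.exists(os.path.join(p, f)))

    def enforce_space(self) -> int:
        """Space management (fig. 10): delete the oldest records until within budget."""
        deleted = 0
        while self.used_bytes() > self.max_bytes:
            oldest = self.db.execute("SELECT r.record_id FROM record r JOIN event e ON "
                                     "r.event_id = e.event_id ORDER BY e.record_time LIMIT 1").fetchone()
            if oldest is None:
                break
            deleted += int(self.delete(oldest[0]))
        return deleted


def demo(record_dir=None) -> RecordManager:
    """Constructed sample records in the style of Table 4 (not the page's own data)."""
    mgr = RecordManager(record_dir or tempfile.mkdtemp(prefix="record-"), max_bytes=10**6)
    for t, rule, dev in ((543216331, "rule-1", "dev1"), (543216333, "rule-2", "dev1"),
                         (543216400, "rule-1", "dev2")):
        mgr.store({"iface": "eth1", "protocol": "Modbus", "time": t, "rule": rule,
                   "device": dev}, b"H" * 64, b"R" * 64)
    return mgr
```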
In some embodiments, the present invention provides a non-transitory computer readable storage medium, in which one or more programs including executable instructions are stored, where the executable instructions can be read and executed by an electronic device (including but not limited to a computer, a server, or a network device, etc.) to perform any one of the above-described industrial protocol message recording methods of the present invention.
In some embodiments, the present invention further provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform any of the above-described industrial protocol message recording methods.
In some embodiments, an embodiment of the present invention further provides an electronic device, which includes: at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the industrial protocol message recording method.
In some embodiments, an embodiment of the present invention further provides a storage medium having a computer program stored thereon, which, when executed by a processor, implements the industrial protocol message recording method.
Fig. 12 is a schematic diagram of a hardware structure of an electronic device that executes an industrial protocol message recording method according to another embodiment of the present application, and as shown in fig. 12, the electronic device includes:
one or more processors 1210 and a memory 1220, with one processor 1210 being an example in fig. 12.
The apparatus for performing the industrial protocol message recording method may further include: an input device 1230 and an output device 1240.
The processor 1210, memory 1220, input device 1230, and output device 1240 may be connected by a bus or other means, such as by a bus connection in fig. 12.
The memory 1220 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the industrial protocol message recording method in the embodiment of the present application. The processor 1210 executes various functional applications and data processing of the server by running the nonvolatile software program, instructions and modules stored in the memory 1220, that is, the method for recording the industrial protocol message according to the embodiment of the method is implemented.
The memory 1220 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the industrial protocol message recording apparatus, and the like. Further, the memory 1220 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 1220 optionally includes memory located remotely from the processor 1210, and such remote memory may be coupled to the industrial protocol message recording device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 1230 may receive input numeric or character information and generate signals related to user settings and functional control of the industrial protocol message recording device. The output device 1240 may include a display device such as a display screen.
The one or more modules are stored in the memory 1220, and when executed by the one or more processors 1210, perform the industrial protocol message recording method in any of the method embodiments described above.
The product can execute the method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as the iPad.
(3) The server is similar to a general computer architecture, but has higher requirements on processing capability, stability, reliability, safety, expandability, manageability and the like because of the need of providing highly reliable services.
(4) And other electronic devices with data interaction functions.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions substantially or contributing to the related art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.